Attackers are using drills to physically compromise ATMs so that they can steal thousands of dollars from the financial institutions operating them.
In the fall of 2016, a bank client revealed one of their ATMs that attackers had emptied to Kaspersky Lab. The only indication of physical tampering was a golf ball-sized hole someone had drilled into the machine next to the PIN pad. Law enforcement later arrested a suspect and found a laptop and cable in their possession.
These discoveries piqued the curiosity of Igor Soumenkov, a researcher at the Russian security firm. He said so at the company’s annual Kaspersky Analyst Summit. As quoted by WIRED:
“We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it. The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.”
To get to the bottom of Soumenkov’s question, Kaspersky’s researchers transported the same ATM model to their lab and removed the machine’s front panel to look inside. They found a wire that connected all the ATM’s components, from the user interface to the cash dispenser. From their subsequent analysis, they also identified only a weak XOR cipher and no suitable authentication protecting the communications exchanged between these components.
WIRED’s Andy Greenberg puts this setup into perspective:
“In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM’s own trusted computer.”
From there, it didn’t take long for the researchers to build a gadget consisting of a breadboard, an Atmega microcontroller, some capacitors, an adapter, and a 9-volt battery. The device was much smaller than the laptop that law enforcement had confiscated from the suspect they’d arrested. But it still had the ability to issue commands that instructed the ATM to empty itself by connecting to the machine’s central wire through the drilled hole.
That Kaspersky’s researchers confirmed this attack demonstrates the host of threats confronting financial organizations these days. Banks need to contend not only with Tyupkin and other ATM-minded malware. They also need to protect themselves against a growing array of physical attacks, including those using explosive material.
To defend against physical attacks, financial organizations should use cameras and other security systems to deter criminals who might want to tamper with their ATM machines. Additionally, they should consider locating their ATMs inside and not on their outdoor premises.